Tools Directory
Searchable, filterable directory of major OWASP security tools across DAST, SAST, SCA, Training, and more.
APICheck
A complete DevSecOps toolset designed and created for testing REST APIs. Part of the OWASP Incubator Projects.
Bandit
A tool designed to find common security issues in Python code. It processes each file, builds an AST, and runs appropriate plugins against it.
Brakeman
A static analysis security vulnerability scanner for Ruby on Rails applications. Detects 50+ vulnerability types without requiring full test suites.
Cheat Sheet Series
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
crAPI
Completely Ridiculous API (crAPI) helps developers understand the ten most critical API security risks. It is a vulnerable-by-design API service.
CycloneDX
A lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.
DefectDojo
An open-source application vulnerability management tool that streamlines the testing process by offering templating, report generation, metrics and baseline self-service tools.
Docker Bench for Security
A script that checks for dozens of common best-practices around deploying Docker containers in production, based on the CIS Docker Benchmark.
DSVPWA
Docker-based Sophisticated Vulnerable PHP Web Application. Provides 25+ vulnerabilities deliberately introduced for security training.
Find Security Bugs
The SpotBugs plugin for security audits of Java web applications and Android applications. Detects 140+ bug patterns with over 900 unique APIs.
Gosec
Golang security checker. Inspects source code for security problems by scanning the Go AST and checking for violations of CWE/OWASP rules.
iGoat-Swift
A vulnerable iOS app for learning iOS security. iGoat is a learning tool for iOS developers and mobile app pentesters.
Juice Shop CTF
Tooling for setting up Juice Shop in a CTF event. Generates a score board and challenge flags and integrates with common CTF frameworks.
MobSF
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application penetration testing, malware analysis and security assessment framework for Android, iOS and Windows Mobile.
NodeGoat
A purposely vulnerable Node.js application maintained by OWASP to help learn how OWASP Top 10 security risks apply to web applications in Node.js.
O-Saft
OWASP SSL advanced forensic tool. Shows information about the SSL certificate and tests the SSL connection against a given list of ciphers and various SSL/TLS methods.
OWASP Amass
In-depth attack surface mapping and asset discovery. Uses open source information gathering and active reconnaissance techniques.
OWASP API Security Project
A project focused on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs).
OWASP AppSensor
A conceptual framework and methodology that offers prescriptive guidance to implement intrusion detection and automated response into applications.
OWASP ASVS
Application Security Verification Standard. A framework of security requirements that focuses on defining the security controls required when designing, developing and testing modern web applications.
OWASP Coraza
Enterprise-grade Web Application Firewall framework that supports ModSecurity syntax and is designed to be highly performant in API gateway and reverse proxy scenarios.
OWASP CSRFGuard
A library that implements a variant of the synchronizer token pattern to mitigate the risk of Cross-Site Request Forgery (CSRF) attacks.
OWASP Dependency-Check
A Software Composition Analysis (SCA) tool that detects publicly disclosed vulnerabilities contained within a project's dependencies.
OWASP Dependency-Track
An intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
OWASP Glue
A framework for running a series of tools as part of application security pipeline automation.
OWASP Juice Shop
Probably the most modern and sophisticated insecure web application for security trainings, CTFs and demos. Contains vulnerabilities from the entire OWASP Top Ten.
OWASP Maryam
Open-source OSINT framework that provides various tools for intelligence gathering, data collection, and reconnaissance.
OWASP MASTG
Mobile Application Security Testing Guide. The ultimate guide for mobile app security testing and reverse engineering.
OWASP ModSecurity CRS
The OWASP ModSecurity Core Rule Set (CRS) is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls.
OWASP Nettacker
Automated penetration testing framework and information gathering tool. Supports various vulnerability scanning modules for network assets.
OWASP OWTF
Offensive Web Testing Framework. An OWASP- and PTES-focused attempt to unite great tools and make pen testing more efficient via a web UI.
OWASP SAMM
Software Assurance Maturity Model. An open framework to help organizations formulate and implement a strategy for software security.
OWASP Semgrep Rules
Community-maintained Semgrep rules targeting OWASP vulnerabilities. Enables lightweight static analysis in CI/CD pipelines for multiple languages.
OWASP SKF
Security Knowledge Framework is an open-source web application that explains secure coding principles in multiple programming languages.
OWASP Threat Dragon
An open source threat modeling tool from OWASP. It can be used as a desktop app for Windows, Mac and Linux or as a web application.
OWASP WSTG
The Web Security Testing Guide is a comprehensive open source guide for testing the security of modern web applications and web services.
OWASP ZAP
The world's most widely used web app scanner. A flagship OWASP project for finding vulnerabilities in web applications during development and testing.
pytm
A Pythonic framework for threat modeling. Define your system in Python, and pytm will generate a data flow diagram, a sequence diagram, and a list of applicable threats.
RailsGoat
A vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some bad practices.
Security Shepherd
A web and mobile application security training platform built to foster and improve security knowledge in users of varying skill levels.
SonarQube Security Rules
SonarQube security-focused rules covering OWASP Top 10 and CWE standards for Java, Python, JavaScript, TypeScript, C/C++, and more.
SpotBugs
A program which uses static analysis to look for bugs in Java code. SpotBugs is the spiritual successor of FindBugs, carrying on from the point where it left off.
Vulnado
Intentionally Vulnerable Java Application. Demonstrates common web vulnerabilities in a simple Spring Boot application for training purposes.
WebGoat
A deliberately insecure web application maintained by OWASP designed to teach web application security lessons. Supports over 30 lessons covering OWASP Top 10 vulnerabilities.
WrongSecrets
Vulnerable app with examples showing how to NOT use secrets. Helps people learn about secret management best practices in cloud and container environments.